protector_postcommon()   F
last analyzed

Complexity

Conditions 63
Paths > 20000

Size

Total Lines 183
Code Lines 102

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
eloc 102
c 0
b 0
f 0
dl 0
loc 183
rs 0
cc 63
nc 1219276896
nop 0

How to fix   Long Method    Complexity   

Long Method

Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.

For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.

Commonly applied refactorings include:

1
<?php
2
3
/**
4
 * @return bool
5
 */
6
function protector_postcommon()
7
{
8
    global $xoopsUser, $xoopsModule;
9
10
    // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
11
    if (substr(@XOOPS_VERSION, 6, 3) > 2.0 && false !== stripos(@$_SERVER['REQUEST_URI'], 'modules/system/admin.php?fct=preferences')) {
12
        /* @var XoopsModuleHandler $module_handler */
13
        $module_handler = xoops_getHandler('module');
14
        $module         = $module_handler->get((int)(@$_GET['mod']));
15
        if (is_object($module)) {
16
            $module->getInfo();
17
        }
18
    }
19
20
    // configs writable check
21
    if (@$_SERVER['REQUEST_URI'] === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) {
22
        trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING);
23
    }
24
25
    // Protector object
26
    require_once dirname(__DIR__) . '/class/protector.php';
27
    $db        = XoopsDatabaseFactory::getDatabaseConnection();
28
    $protector = Protector::getInstance();
29
    $protector->setConn($db->conn);
30
    $protector->updateConfFromDb();
31
    $conf = $protector->getConf();
32
    if (empty($conf)) {
33
        return true;
34
    } // not installed yet
35
36
    // phpmailer vulnerability
37
    // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
38
    if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) {
39
        /* @var XoopsConfigHandler $config_handler */
40
        $config_handler    = xoops_getHandler('config');
41
        $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
42
        if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') {
43
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
44
        }
45
    }
46
47
    // global enabled or disabled
48
    if (!empty($conf['global_disabled'])) {
49
        return true;
50
    }
51
52
    // group1_ips (groupid=1)
53
    if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
54
        $group1_ips = $protector->get_group1_ips(true);
55
        if (implode('', array_keys($group1_ips))) {
56
            $group1_allow = $protector->ip_match($group1_ips);
57
            if (empty($group1_allow)) {
58
                die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.');
0 ignored issues
show
Best Practice introduced by mambax7
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
59
            }
60
        }
61
    }
62
63
    // reliable ips
64
    $reliable_ips = @unserialize(@$conf['reliable_ips']);
65
    if (is_array($reliable_ips)) {
66
        foreach ($reliable_ips as $reliable_ip) {
67
            if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
68
                return true;
69
            }
70
        }
71
    }
72
73
    // user information (uid and can be banned)
74
    if (is_object(@$xoopsUser)) {
75
        $uid     = $xoopsUser->getVar('uid');
76
        $can_ban = count(@array_intersect($xoopsUser->getGroups(), @unserialize(@$conf['bip_except']))) ? false : true;
77
    } else {
78
        // login failed check
79
        if ((!empty($_POST['uname']) && !empty($_POST['pass'])) || (!empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass']))) {
80
            $protector->check_brute_force();
81
        }
82
        $uid     = 0;
83
        $can_ban = true;
84
    }
85
    // CHECK for spammers IPS/EMAILS during POST Actions
86
    if (@$conf['stopforumspam_action'] !== 'none') {
87
        $protector->stopforumspam($uid);
88
    }
89
90
    // If precheck has already judged that he should be banned
91
    if ($can_ban && $protector->_should_be_banned) {
92
        $protector->register_bad_ips();
93
    } elseif ($can_ban && $protector->_should_be_banned_time0) {
94
        $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
95
    }
96
97
    // DOS/CRAWLER skipping based on 'dirname' or getcwd()
98
    $dos_skipping  = false;
99
    $skip_dirnames = explode('|', @$conf['dos_skipmodules']);
100
    if (!is_array($skip_dirnames)) {
0 ignored issues
show
introduced by mambax7
The condition is_array($skip_dirnames) is always true.
Loading history...
101
        $skip_dirnames = array();
102
    }
103
    if (is_object(@$xoopsModule)) {
104
        if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
105
            $dos_skipping = true;
106
        }
107
    } else {
108
        foreach ($skip_dirnames as $skip_dirname) {
109
            if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) {
110
                $dos_skipping = true;
111
                break;
112
            }
113
        }
114
    }
115
116
    // module can control DoS skipping
117
    if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
118
        $dos_skipping = true;
119
    }
120
121
    // DoS Attack
122
    if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
123
        $protector->output_log($protector->last_error_type, $uid, true, 16);
124
    }
125
126
    // check session hi-jacking
127
    $masks = @$conf['session_fixed_topbit'];
128
    $maskArray = explode('/', $masks);
129
    $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0];
130
    $ipv6Mask = (!isset($maskArray[1])) ? 56 : $maskArray[1];
131
    $ip = \Xmf\IPAddress::fromRequest();
132
    $maskCheck = true;
133
    if (isset($_SESSION['protector_last_ip'])) {
134
        $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask);
0 ignored issues
show
Bug introduced by geekwright
It seems like $ipv6Mask can also be of type string; however, parameter $netMask6 of Xmf\IPAddress::sameSubnet() does only seem to accept integer, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

134
        $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, /** @scrutinizer ignore-type */ $ipv6Mask);
Loading history...
Bug introduced by geekwright
It seems like $ipv4Mask can also be of type string; however, parameter $netMask4 of Xmf\IPAddress::sameSubnet() does only seem to accept integer, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

134
        $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], /** @scrutinizer ignore-type */ $ipv4Mask, $ipv6Mask);
Loading history...
135
    }
136
    if (!$maskCheck) {
137
        if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'])))) {
138
            $protector->purge(true);
139
        }
140
    }
141
    $_SESSION['protector_last_ip'] = $ip->asReadable();
142
143
    // SQL Injection "Isolated /*"
144
    if (!$protector->check_sql_isolatedcommentin(@$conf['isocom_action'] & 1)) {
0 ignored issues
show
Bug introduced by mambax7
@$conf['isocom_action'] & 1 of type integer is incompatible with the type boolean expected by parameter $sanitize of Protector::check_sql_isolatedcommentin(). ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

144
    if (!$protector->check_sql_isolatedcommentin(/** @scrutinizer ignore-type */ @$conf['isocom_action'] & 1)) {
Loading history...
145
        if (($conf['isocom_action'] & 8) && $can_ban) {
146
            $protector->register_bad_ips();
147
        } elseif (($conf['isocom_action'] & 4) && $can_ban) {
148
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
149
        }
150
        $protector->output_log('ISOCOM', $uid, true, 32);
151
        if ($conf['isocom_action'] & 2) {
152
            $protector->purge();
153
        }
154
    }
155
156
    // SQL Injection "UNION"
157
    if (!$protector->check_sql_union(@$conf['union_action'] & 1)) {
0 ignored issues
show
Bug introduced by mambax7
@$conf['union_action'] & 1 of type integer is incompatible with the type boolean expected by parameter $sanitize of Protector::check_sql_union(). ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

157
    if (!$protector->check_sql_union(/** @scrutinizer ignore-type */ @$conf['union_action'] & 1)) {
Loading history...
158
        if (($conf['union_action'] & 8) && $can_ban) {
159
            $protector->register_bad_ips();
160
        } elseif (($conf['union_action'] & 4) && $can_ban) {
161
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
162
        }
163
        $protector->output_log('UNION', $uid, true, 32);
164
        if ($conf['union_action'] & 2) {
165
            $protector->purge();
166
        }
167
    }
168
169
    if (!empty($_POST)) {
170
        // SPAM Check
171
        if (is_object($xoopsUser)) {
172
            if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) {
173
                $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid'));
174
            }
175
        } elseif ($conf['spamcount_uri4guest']) {
176
            $protector->spam_check((int)$conf['spamcount_uri4guest'], 0);
177
        }
178
179
        // filter plugins for POST on postcommon stage
180
        $protector->call_filter('postcommon_post');
181
    }
182
183
    // register.php Protection - both core and profile module have a register.php
184
    // There should be an event to trigger this check instead of filename sniffing.
185
    if (basename($_SERVER['SCRIPT_FILENAME']) == 'register.php') {
186
        $protector->call_filter('postcommon_register');
187
    }
188
    return null;
189
}
190